Re: Extract username with comma

loorimar · ‎01-30-2012

I have the following syslog

Jan 30 14:34:05 10.234.150.21 Jan 30 13:34:05 DEN-COLO-VBN-CTRL-01 stm[10699]: <305007> AP Smith, John replacement bootstrapped

I am trying to extract "John Smith" as the username. The closest I have gotten so far:

(?:[^-\n]*-){8}\d+\s+\d+.\d+.\d+.\d+>\s+\w+\s+(?P[^,]+),(?P\s+\w+)

which extracts "John" as the First Name and "Smith" as the last name. Can I concatenate the two somehow? Also having the username as "Smith, John" would work as well.

Any thoughts?

Brian_Osburn · ‎01-30-2012

You can use an eval command to create a new field:

| eval fullname= fieldname1 . " " . fieldname2

That'll create a field called fullname that's = "John Smith"

Brian

loorimar · ‎01-30-2012

Thanks Brian,

That's very cool. Ideally I would like to have this extracted into a single field at search time so I don't have to eval it as part of the search.

Extract username with comma

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation